AI Security Review
scanned 13h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an AstraSync verification/registration SDK with explicit CLI, middleware, Cursor adapter, and git-hook guard features.
Decision evidence
public snapshot- dist/git-trigger/git-hooks.js can write/remove managed .git hooks when installGitHooks/uninstallGitHooks are explicitly called.
- dist/cursor/cursor-adapter.js registers Cursor/VS Code file event listeners when initialized by an extension host.
- dist/registration/index.js reads ASTRASYNC_API_KEY/ASTRASYNC_API_URL unless disableEnvFallback is set.
- package.json has no preinstall/install/postinstall; only prepublishOnly build lifecycle.
- dist/bin/astrasync.js only runs when the astrasync bin is invoked and performs register/verify/health API calls.
- Network calls are package-aligned verification, registration, auth, policy upload, ownership, or documented payment/JWKS endpoints.
- No credential harvesting, broad filesystem scanning exfiltration, remote payload loading, eval, or install-time AI-agent control mutation found.
- Git hook writes are explicit exported/user-command functionality and avoid overwriting non-AstraSync hooks.
Source & flagged code
3 flagged · loading sourcedist/git-trigger/git-hooks.js can write/remove managed .git hooks when installGitHooks/uninstallGitHooks are explicitly called.
dist/git-trigger/git-hooks.jsView on unpkgdist/cursor/cursor-adapter.js registers Cursor/VS Code file event listeners when initialized by an extension host.
dist/cursor/cursor-adapter.jsView on unpkgdist/registration/index.js reads ASTRASYNC_API_KEY/ASTRASYNC_API_URL unless disableEnvFallback is set.
dist/registration/index.jsView on unpkg